Message ID | 20190622000358.19895-11-matthewgarrett@google.com (mailing list archive) |
---|---|
State | Not Applicable, archived |
Headers | show |
Series | None | expand |
On Fri 2019-06-21 17:03:39, Matthew Garrett wrote: > From: Josh Boyer <jwboyer@fedoraproject.org> > > There is currently no way to verify the resume image when returning > from hibernate. This might compromise the signed modules trust model, > so until we can work with signed hibernate images we disable it when the > kernel is locked down. I keep getting these... IIRC suse has patches to verify the images. Pavel
On Fri, Jun 21, 2019 at 05:03:39PM -0700, Matthew Garrett wrote: > From: Josh Boyer <jwboyer@fedoraproject.org> > > There is currently no way to verify the resume image when returning > from hibernate. This might compromise the signed modules trust model, > so until we can work with signed hibernate images we disable it when the > kernel is locked down. > > Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Reviewed-by: Kees Cook <keescook@chromium.org> -Kees > Signed-off-by: David Howells <dhowells@redhat.com> > Signed-off-by: Matthew Garrett <mjg59@google.com> > Cc: rjw@rjwysocki.net > Cc: pavel@ucw.cz > cc: linux-pm@vger.kernel.org > --- > include/linux/security.h | 1 + > kernel/power/hibernate.c | 3 ++- > security/lockdown/lockdown.c | 1 + > 3 files changed, 4 insertions(+), 1 deletion(-) > > diff --git a/include/linux/security.h b/include/linux/security.h > index 00a31ab2e5ba..a051f21a1144 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -85,6 +85,7 @@ enum lockdown_reason { > LOCKDOWN_MODULE_SIGNATURE, > LOCKDOWN_DEV_MEM, > LOCKDOWN_KEXEC, > + LOCKDOWN_HIBERNATION, > LOCKDOWN_INTEGRITY_MAX, > LOCKDOWN_CONFIDENTIALITY_MAX, > }; > diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c > index abef759de7c8..3a9cb2d3da4a 100644 > --- a/kernel/power/hibernate.c > +++ b/kernel/power/hibernate.c > @@ -32,6 +32,7 @@ > #include <linux/ctype.h> > #include <linux/genhd.h> > #include <linux/ktime.h> > +#include <linux/security.h> > #include <trace/events/power.h> > > #include "power.h" > @@ -70,7 +71,7 @@ static const struct platform_hibernation_ops *hibernation_ops; > > bool hibernation_available(void) > { > - return (nohibernate == 0); > + return nohibernate == 0 && !security_locked_down(LOCKDOWN_HIBERNATION); > } > > /** > diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c > index 08fcd8116db3..ce5b3da9bd09 100644 > --- a/security/lockdown/lockdown.c > +++ b/security/lockdown/lockdown.c > @@ -21,6 +21,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { > [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", > [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", > [LOCKDOWN_KEXEC] = "kexec of unsigned images", > + [LOCKDOWN_HIBERNATION] = "hibernation", > [LOCKDOWN_INTEGRITY_MAX] = "integrity", > [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", > }; > -- > 2.22.0.410.gd8fdbe21b5-goog >
On Sat, 22 Jun 2019, Pavel Machek wrote: > > There is currently no way to verify the resume image when returning > > from hibernate. This might compromise the signed modules trust model, > > so until we can work with signed hibernate images we disable it when the > > kernel is locked down. > > I keep getting these... > > IIRC suse has patches to verify the images. Yeah, Joey Lee is taking care of those. CCing.
Hi experts, On Mon, Jun 24, 2019 at 03:21:23PM +0200, Jiri Kosina wrote: > On Sat, 22 Jun 2019, Pavel Machek wrote: > > > > There is currently no way to verify the resume image when returning > > > from hibernate. This might compromise the signed modules trust model, > > > so until we can work with signed hibernate images we disable it when the > > > kernel is locked down. > > > > I keep getting these... > > > > IIRC suse has patches to verify the images. > > Yeah, Joey Lee is taking care of those. CCing. > The last time that I sent for hibernation encryption and authentication is here: https://lkml.org/lkml/2019/1/3/281 It needs some big changes after review: - Simplify the design: remove keyring dependency and trampoline. - Encrypted whole snapshot image instead of only data pages. - Using TPM: - Direct use TPM API in hibernation instead of keyring - Localities (suggested by James Bottomley) I am still finding enough time to implement those changes, especial TPM parts. Thanks Joey Lee
diff --git a/include/linux/security.h b/include/linux/security.h index 00a31ab2e5ba..a051f21a1144 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -85,6 +85,7 @@ enum lockdown_reason { LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_DEV_MEM, LOCKDOWN_KEXEC, + LOCKDOWN_HIBERNATION, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index abef759de7c8..3a9cb2d3da4a 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -32,6 +32,7 @@ #include <linux/ctype.h> #include <linux/genhd.h> #include <linux/ktime.h> +#include <linux/security.h> #include <trace/events/power.h> #include "power.h" @@ -70,7 +71,7 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !security_locked_down(LOCKDOWN_HIBERNATION); } /** diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 08fcd8116db3..ce5b3da9bd09 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -21,6 +21,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_KEXEC] = "kexec of unsigned images", + [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };